Hood, of course, is not one to give up, so he's back again with a lawsuit filed against Google, arguing that the company has violated student privacy with its Google Apps for Education. If this sounds vaguely familiar, here's the twist: this is the same basic complaint that the EFF complained about in a filing to the FTC a year and a half ago. The EFF, of course, actively fought Jim Hood in his initial attack on Google, so it's a neat trick by Hood (and, perhaps, the MPAA?) to now use the EFF's own legal arguments against Google.

As I stated back when the EFF filed its complaint, even though we frequently agree with the EFF on things (and even though we wish Google was better on privacy), I'm still struggling to see what the privacy violation is here. The key issue is that Google signed a pledge -- the Student Privacy Pledge -- which says that when offering its apps to schools, it will safeguard students' privacy in some very clear ways. Multiple third parties, including the Future of Privacy Forum -- who helped create the very pledge Google is accused of violating -- have looked at Google's G Suite for Education and concluded that it complies with the pledge. There are no ads in the G Suite for Education, which is the main privacy issue. But the EFF's complaint was that by sync'ing student accounts, it's storing information about the students in violation of the pledge. But the sync feature is just to allow students to be able to log in from multiple devices and have the same experience -- and Google insists that none of that information is ever used for advertising or other datamining. If it turns out that's not true, then there are issues. But if Google is being accurate here, I just don't see where the problem is.

As far as I can tell, the FTC has done nothing with the EFF's complaint. But now it appears that (without naming EFF), Jim Hood has decided to jump into the legal waters and claim that Google is violating its pledge on student data privacy.

It feels like someone in Hood's office (again, perhaps with some nudging from friends at the MPAA) decided that it would be a neat trick to use the EFF's own complaint against Google to go after Google yet again. It most likely will mean that EFF won't oppose Jim Hood as it did last time around. However, taking a step back and looking at the actual complaint, it's difficult to see how it will stick. As stated above, the organizations that created the very pledge in the first place have claimed that EFF is wrong (and are now saying that Hood is wrong), and that Google complies with the pledge itself. This also seems like a weird issue for Hood to focus on for any other reason than because he wants to attack Google. In fact, it's questionable how this is anything but an Attorney General using his position for something of a personal vendetta against a company he dislikes.

It will be interesting to see how Google responds to this lawsuit... and how far it can actually go.

This NSL was received in 2013, and was challenged by Cloudflare and the EFF. It's only now being made public, and that's largely due to litigation and the USA Freedom Act's changes to NSL review policies. Rather than review them every three years-to-never, the FBI must now review them more frequently. Better still, recipients are now allowed to challenge NSL gag orders within one year of receiving them. This places the burden back on the government to prove ongoing secrecy is needed.

Shortly before the new year, Cloudflare received a letter from the FBI rescinding the NSL's gag order.

The letter withdrew the nondisclosure provisions (the “gag order”) contained in NSL-12-358696, which had constrained Cloudflare since the NSL was served in February 2013. At that time, Cloudflare objected to the NSL. The Electronic Frontier Foundation agreed to take our case, and with their assistance, we brought a lawsuit under seal to protect its customers' rights.

In this particular case, the NSL itself was pulled by the FBI as a result of the lawsuit.

Early in the litigation, the FBI rescinded the NSL in July 2013 and withdrew the request for information. So no customer information was ever disclosed by Cloudflare pursuant to this NSL.

So much secrecy surrounds NSLs -- by default -- that Ken Carter of Cloudflare wasn't even able to correct a Senate staffer who told him things that were completely untrue.

In early 2014, I met with a key Capitol Hill staffer who worked on issues related to counter-terrorism, homeland security, and the judiciary. I had a conversation where I explained how Cloudflare values transparency, due process of law, and expressed concerns that NSLs are unconstitutional tools of convenience rather than necessity. The staffer dismissed my concerns and expressed that Cloudflare’s position on NSLs was a product of needless worrying, speculation, and misinformation. The staffer noted it would be impossible for an NSL to issue against Cloudflare, since the services our company provides expressly did not fall within the jurisdiction of the NSL statute. The staffer went so far as to open a copy of the U.S. Code and read from the statutory language to make her point.

That's what a gag order does: allows misinformation to go uncorrected. The staffer's interpretation of US Code may have been more to the letter of the law, but Cloudflare's Carter knew -- from personal experience -- that the FBI's interpretation was different.

Because of the gag order, I had to sit in silence, implicitly confirming the point in the mind of the staffer. At the time, I knew for a certainty that the FBI’s interpretation of the statute diverged from hers (and presumably that of her boss).

Not only does the default secrecy allow the FBI to continue to pursue questionable requests with NSLs, but it also allows it to deploy them in apparent violation of US law, right under the nose of its Congressional oversight.

Congratulations to both the EFF and Cloudflare, which worked together to protect a user's privacy against the FBI's self-issued NSL. Apparently the demand for information couldn't hold up when scrutinized by a judge for the first time. The fact that the USA Freedom Act only recently went into effect likely explains the three year-plus gap between the NSL's withdrawal and the lifting of the gag order.

While the USA Freedom Act's NSL-handling changes are an improvement, they're far from perfect. The burden of proof has been shifted to the government, but there's very little compelling it to respond to gag order challenges quickly, as the EFF points out.

Under the USA FREEDOM Act of 2015, the FBI is required to periodically review outstanding NSLs and lift gag orders on its own accord if circumstances no longer support a need for secrecy. As we’ve seen, this periodic review process has recently resulted in some very selective transparency by the FBI, which has nearly complete control over the handful of NSL gags it retracts, not to mention the hundreds of thousands it leaves in place. Make no mistake: this process is irredeemably flawed. It fails to place on the FBI the burden of justifying NSL gag orders in a timely fashion to a neutral third party, namely a federal court.

The EFF's legal battle against NSLs continues. We've seen incremental lifting of secrecy as a result of its multiple NSL challenges, but the EFF is hoping to see a court find the whole NSL scheme -- warrantless demands for user data and identifying information the FBI often uses to route around judicial rejection -- to be unconstitutional.

The EFF is seeking information not included in the Powerpoint presentation already produced by the DEA. It's looking for records on court cases where evidence derived from the program was submitted, communications between the government and AT&T concerning the program, communications between government agencies about the Hemisphere program, and Congressional briefings related to the side-by-side surveillance effort.

The government has refused to turn over much of what's been requested for a variety of reasons, the main one being infamous FOIA exemption b(5). The government has other reasons for withholding information, but this is its favorite. The court, however, finds that most of its arguments amount to little more than "because." From the opinion [PDF]:

Ultimately, the Government's declaration is too vague: it does not indicate even generally what sorts of legal issues are presented in these e-mails, nor does not explain what “features” of the Hemisphere program are at issue. That the communications were between an attorney and agency employees does not establish the documents are protected under the attorney client privilege; without more about what “features” or “legal issues” are discussed or why they might be confidential in nature, the Government has not raised enough facts to show that Document 1 may be protected by the privilege.

As for another disputed document, the court has this to say:

The Government is essentially asking the Court to presume that because it uses the word “subpoenas” and states that attorneys wrote or received emails, these documents therefore reveal attorney-client communications of a confidential nature. Merely reiterating the elements of the privilege, however, does not satisfy the Government's burden of establishing the privilege applies to this document.

Yet another disputed document:

[T]he Government does not articulate why this information is confidential or contains legal advice. While it asserts that this document contains “confidential legal advice,” again, this merely states the element without explaining the basis of that confidentiality.

The review of documents concludes with the court pointing out that the government's sole justification for its bare minimum explanations works against it:

Finally, while the Government argues its generalized descriptions are sufficiently specific to show the documents contain “confidential legal advice,” it relies only on cases that demonstrate how its support in this case is lacking. [...] The Court is not asking the Government to make a herculean effort, merely something beyond regurgitation of the elements.

The court remains less than impressed with the government's lack of effort throughout the remainder of the opinion. It's as if the government assumed the court would rubber-stamp its bare-bones assertions.

[T]he Government makes no further reference to any current or foreseeable litigation in either its supporting declarations or Vaughn Index or provide other context that would allow the Court make a de novo review of the Government's work product assertions. Again, the Government cannot satisfy its burden of proof by relying on a mere recitation of the elements.

[...]

Nor does the Government meet its burden merely by referring to law enforcement efforts.

[...]

The Government merely recites the elements necessary to establish the privilege, but it does not explain why they are met, such as explaining why these particular documents relate to some anticipated litigation.

[...]

[T]he Government does not explain how the disclosure of these documents would affect its deliberative process by preventing or discouraging DEA employees or affiliates from giving their honest opinions, recommendations, or suggestions on how to develop policy decisions.

[...]

None of the Government's evidence suggests that exposing these documents would interfere with law enforcement proceedings.

The court also finds the government cannot withhold information related to cities Hemisphere was deployed in or agencies involved under FOIA exemptions. As the court sees it, the fearful assertions made by the government have no basis in observed reality.

The Government asserts this information “could be used by criminals to disrupt law enforcement operations or obtain unauthorized access to information about such operations.” But the Government does not explain how criminals could do this by using information about the cities and states where Hemisphere. EFF also notes that the public already knows that Hemisphere has regional centers in Atlanta, Houston, and Los Angeles, but the Government presents no evidence suggesting criminals have used this publicly available information to disrupt law enforcement operations or obtain unauthorized access to information.

The same goes for the names of the telecommunications companies the DEA worked in concert with to obtain telephone records.

[T]he Government asserts criminals could use this information to “tailor or adapt their activities to evade apprehension,” or “to attack facilities involved in the Hemisphere program.” In response, EFF argues the public has known for two and a half years—that is, since The New York Times' 2013 article on it—that AT&T supports Hemisphere, and the Government has not shown or even argued that criminals have ever attempted to use this information to evade or disrupt Hemisphere.

The Court agrees with EFF that the Government has not provided facts showing why it is likely criminals would use the identities of the companies that are instrumental to Hemisphere to evade or attack Hemisphere-related facilities.

The next step is an in camera review of the documents by the court to determine whether or not there's anything in these documents the government is justified in withholding. So far, the court appears unconvinced the government is engaged in anything more than opacity for opacity's sake. If the review goes as badly for the government as its FOIA lawsuit defense has, a lot more information on the Hemisphere program should be headed our way.

from the shame:-the-universal-motivator dept

One of the reforms included in the USA Freedom Act is the actual ability to challenge National Security Letter gag orders. Prior to the passage of this bill, recipients were limited to challenging gag orders once per year -- challenges that rarely succeeded. The process is no longer restricted to annual challenges, but many recipients won't be aware of this fact because the FBI hasn't been interested in telling them.

The NSL we received includes incorrect and outdated information regarding the options available to a recipient of an NSL to challenge its gag. Specifically, the NSL states that such a challenge can only be issued once a year. But in 2015, Congress did away with that annual limitation and made it easier to challenge gag orders. The FBI has confirmed that the error was part of a standard NSL template and other providers received NSLs with the same significant error. We don’t know how many, but it is possibly in the thousands (according to the FBI, they sent out around 13,000 NSLs last year). How many recipients might have delayed or even been deterred from issuing challenges due to this error?

Having been caught using outdated boilerplate, the FBI will now be sending out thousands of correction letters [PDF]. It's not as though the FBI wasn't aware of the changes in the laws governing NSLs. It likely found it more conducive to its secrecy aims to allow the old boilerplate to remain until recipients caught on.

Not only will the FBI be updating its NSL boilerplate, but it has apparently been shamed into transparency… at least in this particular case. The gag order on this NSL has been dropped and the Internet Archive is allowed to publish the redacted request.

The request asks for all personal information related to the targeted accounts from "inception to present." But there's another problem with the request which goes beyond outdated boilerplate. As the EFF's letter to the FBI [PDF] points out, the Internet Archive isn't the sort of entity the FBI can actually serve an NSL to.

18 U.S.C. 2709 is inapplicable to the Archive in this matter because the Archive is a library. Under 2709(g), the FBI cannot issue an NSL demanding records -- or imposing a nondisclosure requirement -- to libraries unless they are providers of wire or electronic communications services. The NSL does not specify which of the Archive's services it seeks records from and thus does not identify any context in which the Archive is a provider of a wire or electronic communication service.

The letter also points out that the FBI's gag order is unconstitutional prior restraint, something that runs contrary to the First Amendment. Of course, it's one thing for an NSL recipient to make this allegation. It's quite another to have it confirmed by a federal court. The EFF's constitutional challenge of NSL gag orders is currently awaiting review by the Ninth Circuit Court of Appeals. Whatever conclusion the court arrives at, there's little doubt that it will ultimately make its way to the US Supreme Court. Whether or not the Supreme Court decides to address it is likely still at least a year or two away.

But the voluntary lifting of a gag order by the FBI is a positive development -- one that suggests the more these orders are challenged, the more often the government will discover its demands for indefinite secrecy are rarely supported by the facts of the case.

from the most-transparent-administration-still-all-about-forced-transparency dept

Thanks to the EFF's efforts, another set of National Security Letters has been published and their recipient freed to discuss them. CREDO Mobile received two NSLs in 2013 -- both accompanied by the usual indefinite gag order. The NSLs [PDF 1] [PDF 2] requested a wealth of data on three of CREDO's customers -- including all call records, financial information (credit cards used, etc.), and personal information (name, address, etc.) -- dating back to April 2008.

“A founding principle of CREDO is to fight for progressive causes we believe in, and we believe that NSLs are unconstitutional. These letters, and the gag orders that came with them, infringed our free speech rights, blocking us from talking to our members about them or discussing our experience while lawmakers debated NSL reform,” said Ray Morris, CREDO CEO. “We were proud to fight these NSLs all these years, and now we are proud to publish the letters and take full part in the ensuing debate.”

CREDO's challenge to the gag order was upheld [PDF] by a federal judge in March, who struck it down when the FBI failed to show a need for the continued secrecy. This decision was held pending the FBI's appeal, but the government apparently decided this wasn't a battle it wanted to fight and dropped its appeal of the court's order.

The government's decision to drop the appeal highlights one of the (many) problems with NSLs. These are self-issued administrative orders subject to very little, if any, oversight. The FBI can issue as many of these as it wants without ever having to get a judge involved. Every one of these arrives with an indefinite gag order attached, forcing recipients to lawyer up if they want to challenge the government's demands for secrecy.

The government clearly felt it couldn't demonstrate why this gag order should still be in place. But the government doesn't have to justify its demands for secrecy at the point the NSL is issued. It only needs to do this if challenged in court. While some judges have expressed an interest in periodic reviews of NSLs to determine the need for ongoing secrecy, these conclusions are the exception rather than the rule.

That judges are the ones making this determination is another part of the problem. In response to the USA Freedom Act, the DOJ instituted a policy requiring a "periodic" review of issued NSLs. Unfortunately, that's all it does. There's no definition attached to "periodic," which means the review could happen every few years… or never.

The constitutionality of the orders themselves should still be actively challenged. While much of what is sought with these falls under the very generous definition of "third party records," the lack of any oversight or judicial review makes these the go-to tool for the FBI -- which has been known to issue NSLs when its warrant requests are turned down by federal courts. Throw an indefinite gag order on it, and the FBI can pretty much ensure complete compliance from recipients, whose only option is to fight an often-futile legal battle against the government.

from the hmmm dept

The copyright case involving Stephanie Lenz and her dancing baby is one that may finally be nearing a conclusion after many, many years -- but it's not over yet. As you may recall, Lenz posted a very brief clip of her then toddler, dancing along to a few seconds of a barely audible Prince song. This was almost a decade ago.

Universal Music sent a DMCA takedown, and that kicked off a big fight over fair use, with the EFF representing Lenz and arguing that Universal Music needed to take fair use into account before issuing takedowns. The case then bounced around courts for nearly a decade with a variety of rulings, eventually getting a huge confusing mess of a ruling from the 9th Circuit last year, followed by an only marginally better mess earlier this year in an en banc decision replacing the original one.

Both EFF and Universal Music asked the Supreme Court to hear different questions about the messy 9th circuit ruling, and lots of other folks weighed in with amicus briefs, including internet companies and the RIAA (not on the same side, as you might imagine). The general consensus seemed to be that it was a long shot that the Supreme Court would bother with the case, even as it was kind of a mess, but the Supreme Court this morning kept things alive by asking the White House Solicitor General to weigh in (on page 2 of the document).

LENZ, STEPHANIE V. UNIVERSAL MUSIC CORP., ET AL.

The Solicitor General is invited to file a brief in this case expressing the views of the United States.

So... now everyone gets to sit and wonder what the hell the Solicitor General is going to say. The fact that former MPAA lawyer Donald Verrilli is no longer the Solicitor General is at least mildly encouraging, since his views on copyright appeared to be positively draconian. But it's anybody's guess how the acting Solicitor General, Ian Gershengorn, and his staff will respond to the request. I don't think Gershengorn has much experience with copyright issues, but prior to jumping into the Obama administration, he did work at Jenner & Block, which was where Verrilli worked as well. And others on the staff have been shown to have some wacky ideas about copyright in the past.

But, for now, we'll have to wait and see -- but it also means that the case is still alive. With any luck, it'll be over before Lenz's "dancing baby" graduates high school.

from the regulatory-capture dept

Earlier this week we wrote about the revelation, via a FOIA request by the EFF, that the Copyright Office consulted heavily with Hollywood (the MPAA directly, and a variety of movie studios) before weighing in on the FCC's set top box competition proposal. As we noted, the Copyright Office's discussion on the issue involved completely misrepresenting copyright law to pretend that an agreement between two industries (content studios & TV companies) could contractually wipe out fair use for end users. That's... just wrong. The FCC's proposal had absolutely nothing to do with copyright. It was just about letting authorized (paying) customers access content that was already authorized through other devices. What the FOIA request revealed was that the Copyright Office not only had many, many, many meetings with Hollywood, but that it actually prioritized those meetings over ones with the FCC -- and lied to the FCC to say that key Copyright Office personnel were not available the very same week they were meeting with the MPAA, in order to push back the meeting with the FCC.

It was a pretty big deal, given the Copyright Office's reputation for acting as a taxpayer-funded lobbying arm for Hollywood. Of course, the MPAA is now mocking the EFF over this story, with a blog post by Neil Fried, one of the top lobbyists for the MPAA, and someone who features prominently in the conversations with the Copyright Office revealed by the FOIA request. The crux of Fried's post is that there's no news in the revelations, and that the Copyright Office met with the MPAA because the MPAA asked to meet with it.

The bottom line is that the Copyright Office did not approach stakeholders, selectively or otherwise. It spoke with any and all comers who asked for the opportunity. It then examined the issues and met its statutory obligation to advise federal agencies and Congress on the law. Any EFF suggestion to the contrary is entirely false.

Of 310 pages EFF has “uncovered” in a Copyright Office FOIA request, 232 are transmittals of FCC filings, congressional letters, and other documents from all sides that were already public. The remaining 78 are almost all snowballing email chains to schedule meetings and calls—also from parties on all sides, including the FCC itself and device maker TiVo.

That's... fairly misleading. It's true that there are those pages of email chains trying to schedule meetings, but the vast majority of those are from the MPAA or other Hollywood representatives. And those meetings are clearly eagerly being scheduled by the Copyright Office prior to meeting with the FCC to help shape the Copyright Office's response. The MPAA conveniently leaves out the Copyright Office's meeting with the FCC being pushed off so that the Office can meet with the MPAA first (and even telling the FCC that a key member of the Copyright Office is not available the same week she's meeting with the MPAA). Also, the "TiVo" meeting wasn't even on "the other side" of the debate, really, as the letter there notes that TiVo "will be advocating a simpler solution" compared to what the FCC proposed. It's also noteworthy that this meeting occurred on August 2nd of this year. That was the first time TiVo met with the Copyright Office, but by then the Copyright Office's position was set, as its response was delivered the very next day. The MPAA, on the other hand, first met with the Copyright Office back in early April and met a few times after that as well. So to say that the meetings were on the same level is clearly not true.

The documents reflect what we know to be true. The Copyright Office did not “jump into this fight,” as EFF asserts. Rather, it studiously avoided being brought into the debate until: 1) Chairman Wheeler asked for its analysis, and 2) Members of Congress requested it share that analysis so everyone, not just the FCC, could benefit from its expertise.

Right. About that. That's not true either. As the FOIA documents reveal, then head of the Copyright Office Maria Pallante apparently went directly to Congress and requested that it make a formal request to the Copyright Office to send an opinion on the FCC's proposal. It appears that Fried either missed or ignored this bit of the FOIA request in which a staffer for Rep. Ted Deutch contacts the Copyright Office asking for input on what Deutch should put into the letter requesting the Copyright Office weigh in, and explicitly noting that the reason it was doing so was because they had been told that Pallante wanted them to make that request.

That, uh, certainly doesn't look like "avoiding being brought into the debate" until after Congress requested it. It looks like the head of the Copyright Office going directly to Congress and concocting an excuse to publicly weigh in on the debate against the FCC. (As a side note, there is plenty of talk that a big part of the reason why Librarian of Congress Carla Hayden was annoyed with Maria Pallante was her penchant for going directly to members of Congress with her own views concerning the Copyright Office, and this seems like just another example of that.) Update: As pointed out in the comments, this potentially leaves out some context, in that the emails also show officials in the Copyright Office being surprised about the claim that Pallante wants Congress to weigh in, and an email (not from Pallante) saying that they're already coordinating with the FCC, which could be interpreted as asking not to have Congress make the request. Of course, that doesn't answer how Deutch got the information that Pallante wanted him to make a formal request.

Finally, Fried basically mocks the EFF, suggesting that it's just upset that it didn't think to lobby the Copyright Office as aggressively as Hollywood did:

Like anyone else, the EFF could have just as easily made its own inquiries, rather than issue a hyperbolic blog complaining about the entirely legitimate practice of a government agency communicating with a range of parties.

Yes, well, the EFF is a small non-profit. The MPAA is a giant machine of Hollywood with offices blocks away from the White House. Guess who has better access and resources to bug the hell out of the Copyright Office and get it to side (once again) with misleading claims about copyright law?

Besides, when your argument boils down to "sure, the Copyright Office is a captured agency, and if you don't like it, go capture your own agency..." it's not exactly a ringing endorsement for functional policymaking.

Today's the last day of Internet Privacy Week, but the ongoing fight for online privacy is far from over. That's why we're promoting the new Internet Privacy Bill Of Rights to companies that provide online services. We need you to help us spread the word by signing the bill, and by doing so you'll be raising money for the EFF! For every 500 signatures, Namecheap and its partners will donate $5,000 to the EFF for its important and continuing role in defending online privacy.

The idea behind the Bill Of Rights is to get online service providers to agree to respect five key user rights in terms of how their services collect and handle personal data:

Right of transparency: Users have a right to know what is actually being done with their data in clear, understandable terms — not buried in legalese written in tiny print.

Right of control: Companies should give users the ability to control their data and how it is used, including asking specific permission at the time of use, rather than just at the point of signup.

Right of recourse: Individuals should be able to protest certain uses of data, and companies should set up a process with a dedicated person to handle these concerns.

Right of export: When reasonable, users should be able to export their data in a useable format.

Right of due process: Whenever possible, companies should alert end users to government requests for their data, or civil subpoenas for identifying information allowing them to use legal processes to protect such data.

We believe this sort of collaborative approach is the best first step to protecting internet privacy and avoiding the dangers of poorly-crafted, over-burdensome regulations and a data free-for-all. So please help us out and sign the Online Privacy Bill Of Rights today! (We know there has been some confusion around the particular method of gathering signatures, which is using a "giveaway" platform. Please note you can sign the petition using either Facebook or a name and email, and the platform's privacy policy is prominently posted at the bottom of the page.)

from the FBI-still-not-a-fan-of-the-Constitutional dept

In a rather quick turnaround, the EFF has had the brief [PDF] it filed under seal in September unsealed by the Ninth Circuit Court of Appeals. The brief challenges the FBI's use of gag orders with its National Security Letters -- the administrative subpoenas the FBI issues to recipients without having to run them by a judge.

Unfortunately, the brief has been heavily redacted and both the appellee and appellant remain undisclosed. The filing challenges NSL gag orders, claiming them to be unconstitutional infringements on the First Amendment. The EFF is arguing on behalf of its redacted clients, both "electronic communications providers."

Beyond preventing the providers from informing the FBI's targets that their communications/data are being turned over to the government, the EFF points out that the gag orders have been stopping them from discussing these limitations with Congress -- even to the point of correcting bad information given to legislators by the FBI itself.

An NSL gag prevented [redacted] Appellant from correcting [lengthy, two-line redaction] and that [another lengthy redaction] ER 129. Similarly, an NSL gag prevented [redacted] through its [redacted] from telling Congress and the public about [redacted] experiences as an NSL recipient and explaining why those experiences informed its belief that the FBI-supported amendments to the NSL statute proposed in 2014 (and later enacted) would be insufficient to remedy problems with the FBI's use of NSLs.

This is spelled out a little more explicitly later in the filing.

But as discussed above, the gag orders had the direct effect of preventing [redacted] from informing a legislative official [redacted] that [redacted] seriously misapprehended the scope of that statute.

During the period when this legislation was being argued, recipients of these letters were forbidden to discuss them, providing the FBI with a handy, one-sided platform to deploy its arguments in favor of the changes it wanted.

As the law stands now, the FBI can issue as many NSLs as it wants (and it does, at a rate of well over 10,000 per year) without judicial oversight and demand recipients never discuss them. The only judicial review these NSLs receive is after the fact and that's only if the court feels NSL recipients are actually in a position to demand periodic review of indefinite gag orders.

The FBI can also review gag orders itself to see if they're still justified, but it's wholly internal and the process allows the agency to decide in its favor every time. It places the FBI under no obligation to turn over its internal findings to Congressional oversight or even inform recipients when investigations are closed and a gag order could theoretically be lifted.

But for all the arguments about means, methods, terrorism, ongoing investigations, or whatever it is the FBI is using to justify issuing tens of thousands of gag orders every year, it's still nothing more than indefinite prior restraint.

The gag order provision of the NSL statute violates the First Amendment for two independent reasons.

First, the statute lacks the substantive and procedural requirements necessary to uphold a prior restraint because it allows the government to unilaterally impose indefinite gags on recipients and, in the rare instance that a court reviews the gag, requires the court to approve it upon a showing of the mere possibility of harm. The district court justified upholding the NSL statute only by inventing a new category of prior restraints involving “non-customary” speakers as a basis for reducing the First Amendment protections against prior restraints.

Second, the statute is a content-based restriction that fails strict scrutiny because it allows the FBI to impose indefinite, overinclusive gags that bar recipients from discussing government conduct without any consideration of less restrictive means of protecting national security.

This Court should reject the district court’s improper departure from established First Amendment law and hold that the NSL statute is unconstitutional.

The FBI's NSL closed-loop needs to be cracked open. It's writing itself permission slips for data and other records from service providers at a rate of more than 30 times a day and demanding secrecy forever in almost every case. It's not just screwing with companies, their customers, and a few Constitutional amendments (1st, 4th, 5th), it's actually preventing lawmakers and oversight committee members from hearing the other side of the argument when crafting legislation.

from the jumping-ahead-of-the-threat dept

A few more wrinkles have appeared in the EFF's attempted legal destruction of the DMCA's anti-circumvention clause. Back in July, the EFF -- along with researchers Bunny Huang and Matthew Green -- sued the government, challenging the constitutionality of Section 1201 of the DMCA. As it stands now, researchers are restricted by the limitations built into the anti-circumvention clause. The Library of Congress can grant exceptions, but these are only temporary, lasting three years and generally vanishing at the end of that term.

Projects and research efforts continue to be thwarted by this provision, opening up those who circumvent DRM and other protective measures to the possibility of prosecution. And their options when facing charges are severely limited. There is no "fair use" exception to Section 1201 of the DMCA -- something the EFF would like to see changed.

The threat of prosecution may be mostly existential, but it's still far from nonexistent. This is why the EFF has requested a preliminary injunction that would prevent the DOJ from trying to put its client in jail.

The Electronic Frontier Foundation (EFF) asked a court Thursday for an order that would prevent the government from prosecuting its client, security researcher Matthew Green, for publishing a book about making computer systems more secure.

[...]

But publishing the book, tentatively entitled Practical Cryptographic Engineering, could land Green in jail under an onerous and unconstitutional provision of copyright law. To identify security vulnerabilities in a device he has purchased, Green must work directly with copyrighted computer code, bypassing control measures meant to prevent the code from being accessed.

The injunction request [PDF] points out that -- in addition to the anti-circumvention clause being a form of prior restraint -- Green will be performing the sort of actions the DOJ has prosecuted people for in the past.

A rigorous and effective audit of a computer system’s security requires that Dr. Green analyze the software controlling the system. Often, secure computer systems prevent access to their software code through technological protection measures (“TPMs”) such as encryption, username/password combinations, or physical memory restrictions preventing a user from accessing certain stored information. An adversary seeking to extract information about the software code or about the system’s user, or to install their own malicious software, would seek to bypass these measures in order to maximize their ability to locate and exploit vulnerabilities.

To identify security flaws, Dr. Green must do the same; indeed, finding and reporting on the vulnerability of these access controls is a critical part of auditing the security of the system. If he does not bypass access controls in a computer system, Dr. Green’s research is significantly limited. While he may be able to discover some vulnerabilities, he cannot determine with confidence whether devices are secure against an adversary willing to circumvent access controls.

The DOJ has already responded (sort of) to some of the claims raised in the EFF's injunction request. Its motion to dismiss [PDF] -- filed the same day as the EFF's injunction request -- claims the EFF and Matthew Green have no standing to challenge Section 1201 of the DMCA. Not only that, but they cannot provide any evidence prosecution is likely if Green continues with his research work.

Plaintiffs’ claims should be dismissed in their entirety. As an initial matter, Plaintiffs lack standing to raise their First Amendment claims on a pre-enforcement basis because the assertions in their Complaint fail to establish a credible threat of prosecution, under the DMCA’s criminal enforcement provision, for engaging in constitutionally-protected activity. None of the Plaintiffs claims to have been threatened with criminal prosecution. Plaintiffs’ conclusory assertion that others have been prosecuted under the DMCA in the past, for unidentified reasons, is insufficient to establish that Plaintiffs face a credible threat, as is their assertion that third parties might bring suit against them under a separate civil private right of action. Moreover, Plaintiffs fail plausibly to assert that the acts of circumvention and trafficking that they wish to undertake qualify as speech or expressive conduct that is entitled to First Amendment protection but prohibited by the DMCA.

The DOJ's arguments roughly align with the assertions made in its motion to dismiss in a lawsuit brought by security researchers and the ACLU against the much-hated CFAA. Once again, the DOJ recognizes that Green's book may be covered by the First Amendment, but actions taken during its compilation may not be.

In both cases, though, the statutes lend themselves to punishing security researchers for performing security research. While the DOJ may have no intention of prosecuting Green for his work, the anti-circumvention clause allows it to hold onto that option for as long as it wants to. The only way to guarantee this won't happen is to obtain an injunction, but chances are the court won't be as interested in staving off the theoretical as it will be in examining the First Amendment claims.